How a Cloud Security Broker Reduces SaaS App Risks – SASE Part 4


Data exposure from SaaS and cloud applications is an increasing risk factor facing businesses today. Depending on where your organization is along its digital transformation, multi-cloud environments and cloud applications are likely being used for critical business operations.

There are good reasons to move to SaaS apps, such as their simplicity, reduction of administration, and cost reductions. Since the advent of cloud computing, applications like Microsoft Office, Salesforce, and Box™ have made themselves indispensable to modern business.

As with most changes, there are tradeoffs and compromises that need to be evaluated when considering SaaS apps, including the cloud’s lack of visibility and the security risks that come with it. These are further complicated by new threats, like the rise of shadow IT and unsanctioned apps, that were not as prevalent in on-premises security infrastructure.

As one piece of a multifaceted SASE solution, a cloud access security broker (CASB) can help to reduce the risks of using SaaS apps, whilst still reaping the benefits of enhanced data control. CASB provides protection to users and critical data through unified security policy enforcement across multi-cloud applications.

What is CASB?

CASB is a cloud-specific security solution used to monitor cloud infrastructure, identify potential threats of high-risk apps, detect unusual behavior and ransomware, and take remedial action to enable more critical data control.

With many different specific functions between vendors to solve challenges in different ways, the key element of every CASB is that it acts as an intermediary between users and cloud service providers. The broker works to restore the visibility and control that is lost when resources are moved off-premises.

As a one-stop enforcement center, consolidating multiple layers of security policy and applying them universally to every user and resource that connects to the cloud, CASB becomes a critical capability for any organization. Using this array of capabilities, including data identification and identity management, the CASB applies security rules set by administrators to secure the organizations data and reduce the risk of spills or loss.


Countering Shadow IT

The use of unauthorized software presents a serious risk. This brings the issue of shadow IT back to center stage—once a somewhat manageable problem has now become an unwieldly challenge for administrators tasked with securing business without slowing it down.

CASB provides granular visibility to user access, activity, and data. The implicit enforcement of policy delivered through the in-line nature of the capability covers every device connecting to cloud resources, including unmanaged smartphones and personal laptops. In securing these connections, the CASB provides the administrator with a complete view of the cloud applications being used and their usage pattern, without creating friction which can hamper productivity.

Securing Cloud Account Compromise

One of the core components of any enterprise network is the account and identity management system. Where an on-premises Active Directory service would have previously provided this capability, with separate applications often using another independent system, cloud provided identity is now a preferred choice.

This cloud-hosted identity enables capabilities such as federated access and single sign-on, greatly simplifying the management of enterprise accounts. However, now that this critical system is more pervasively used, the risks associated with it increase.

Even the most popular and reliable applications contain multiple vulnerabilities which attackers may exploit to breach the corporate network and steal critical or sensitive data. To prevent this, organizations need to streamline their security efforts and monitor user behavior to protect both their employees and enhance data control.

A CASB can watch for anomalous usage in your environment, keeping tabs on suspicious activity to respond to breaches more quickly and minimize their damage. As an in-line tool, CASB can actively reduce the risk of a breach by identifying anomalous use of applications, the misuse of accounts, or data use abnormalities. For example, these factors, amongst others, can provide indications of potential incidents and CASB can thwart them before they begin by simply locking the account to remove access.

Addressing Security Gaps for Third-Party Services

While cloud service providers take every measure to secure the data you store on their services, under the shared responsibility model it falls to your organization to protect the network and users. Given the ever-growing attack surface, password changes and multi-factor authentication might not be enough anymore.

Deploying a CASB restores control to your organization, allowing you to enforce policies for users and data by widely applying security policies to suit your specific needs.

CASB’s Role in SASE Architecture

SASE architecture offers a cohesive security solution by combining capabilities from two distinct areas: network and security.

Read More HERE